A Guide to CCPA Compliance in Office 365

Finding ways to stay compliant in the digital age can be difficult. While many brands are focused on the critical tech components of modern business (i.e., cloud, DevOps, agile, etc.) compliance still remains one of the most important pillars of success across business channels.

But, keeping track of all of those compliance issues can be headache-inducing. HIPPA, FINRA, GDPR, CCPA, etc. are all unique compliance programs that exist in their own ecosystem of the regulatory process. Here’s the problem — over 40% of businesses that had a policy come under review were subjected to legal or external regulatory action in 2018. Not only do compliance failures impact your business financially, but they can also leave a lasting stain on your reputation when the action is taken public.

Today, we’re going to take a look at one of the newcomers in data privacy compliance — the California Consumer Privacy Act — and how you can remain CCPA compliant within your Office 365 framework.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a new, post-GDPR data privacy law coming out of California. The law itself will go into effect on January 1st, 2020, and it’s set to alter the landscape U.S. data privacy.

While it may seem that CCPA will only impact California businesses, it applies to all companies that do business in California — which includes all enterprises and a significant portion of SMEs. For safety, we heavily recommend that all businesses stay CCPA compliant.

The Specifics

Let’s take a quick (though certainly not exhaustive) look at some of the broader details of the California Consumer Privacy Act.

Consumers have the right to opt-out. Unlike the GDPR, which has a total opt-out option, CCPA only allows consumers to opt-out of their data being sold. The definition of data being sold is extremely broad in the case of CCPA. Virtually all B2B data transfer is considered “data sold” under the law. This means that consumer must receive an opt-out form prior to that data transfer. A critical component of the CCPA is that all business must place an opt-out link on both their home page and in their privacy settings. This opt-out must be accessed without signups, logins, or anything of that nature.

Consumers have the Right of Access. This means that consumers can request specifics on all information that has been collected on them, and that information must be provided.

Consumers have the Right to Delete (sort-of). The law requires that consumers have the right to ask that their data be deleted. But, the law also contains plenty of exceptions, including — security, internal use, research, compliance, etc.

Children have to opt-in. Any person under 16 must opt-in for data collection. And, any child under 13 must have their parent (or guardian) opt-in.

There are plenty of specifics baked into the law that we won’t go over here. But, it’s safe to say that the CCPA is changing the landscape of both data acquisition and data transfer for almost every business in the United States — and many abroad.

What are the Differences Between CCPA and GDPR?

You may be wondering what the differences between CCPA and GDPR are. After all, CCPA certainly took influence from GDPR — as evidenced by its language and specifics.

Here are the main differences, though there are plenty of nuanced differences between the two.

The definition of “personal information“. While GDPR defines personal information as “information relating to an identified or identifiable person, directly or indirectly.” This means that SSN info, addresses, license plate numbers, and information of that nature falls under GDPR. With CCPA, the term personal information is much more loosely defined. This means that information such as browsing history or behavioral data are covered under CCPA.

The opt-in. GDPR requires that customer opt-in before data can be collected on them. CCPA gives them the right to opt-out of data used in specific situations.

The stick. GDPR can impose a penalty of 4% of your businesses entire annual global turnover. Of course, these fines are defined by many complex factors. This includes a company’s willingness to participate in standard practices post-breach. CCPA, on the other hand, can fine businesses between $2,500 and $7,500 per incident depending upon the severity. It’s important to note that CCPA allows consumers also to take legal action against a company on top of the fines that it imposes.

It’s important to note that most businesses should follow both GDPR and CCPA, meaning that data compliance can easily become complicated without the right systems in place.

Luckily, Office 365 can help you manage your compliance through robust frameworks and a rigorous compliance manager.

How to Configure Compliance CCPA Compliance in Office 365

Two employees check the consumer data analytics of the company.

Currently, Office 365 doesn’t have “native” CCPA compliance support — since the law has yet to go into effect. But, there are some ways to glue CCPA compliance to your Office 365 framework using Microsoft’s Compliance Manager.

Using GDPR Frameworks to Begin Your CCPA Compliance Journey

What Office 365 does have is GDPR compliance frameworks that you can set up through Microsoft’s Compliance Manager. Since GDPR and CCPA share so many commonalities, you can jump into CCPA compliance early via GDPR processes.

This includes things like right-of-access, erasure, data management, etc. Not only does Microsoft’s Compliance Center has some incredibly robust GDPR tools, but it also takes you on a step-by-step journey of setting them up and tracking them throughout your compliance lifecycle.

Using Data Subject Requests (DSRs) in Compliance Manager

Compliance Manager also gives you access to Data Subject Request (DSR) tools that you can use to prepare for CCPA. You can use these to discover actions and gather responsive documents, retrieve personal data within Office 365 relating to specific subjects, make changes, restrict access, export, and even delete data depending on the particular circumstances.

How to Encrypt and Protect Data in Office 365

Security breaches have become one of the most intimidating aspects of data collections of big business. In fact, 31% of organizations have experienced cyber attacks related to data acquisition, and the average cost for each stolen identifiable record was $225 in the United States in 2017 — and that number is steadily rising.

Finding ways to protect your business against these attacks is mission-critical. Office 365 lets you safeguard data in a few ways, including the ability to protect data by U.S. PII sensitive data types as well as advanced Office 365 message encryption technology that helps safeguard emails and Teams compliance capabilities.

Final Thoughts

While Office 365 has some tools to stay CCPA compliant, the bulk of the responsibility still falls on the business. You need to include data privacy and security into your everyday practices and use them as a driver for future success.

Want to know how?

Agile IT offers governance and compliance solutions ranging from onboarding and training to fully managed compliance solutions. To find out more, request a quote!